aws re:invent 2016: enterprise fundamentals: use aws to secure your devops pipeline like a bank...

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

DevOps Pipeline SecurityHow to use AWS to secure your DevOps Pipeline like a bank

Alan Garver AWS Sr. Professional Services Consultant

Chuck Dudley Stelligent Director Financial Services Accounts

Jamie Greco Citi Sr. VP Technical Program Management

ENT318

What to Expect from the Session

• Simple Secure Build Artifact Repository with AWS

• Advanced DevOps Pipeline Concepts

• Static Code Analysis for Infrastructure as Code

• Use AWS Config Rules and AWS Lambda to Monitor Resource Compliance

Technology Challenges in Financial Services

Regulatory

Requirements

Organizational

Boundaries

DEV OPSEngineering

Monolithic

Applications

Enable Continuous Delivery on the Cloud

Provisioning

Monitoring

CI / CD

Orchestration

Tokenization &

Encryption

• Deploy provisioning tools

• Practice to provision & manage all architecture and data

components (e.g. operating system )

• Implement automated systems to monitor infrastructure and

applications to alert abnormal conditions.

• Align disintegrated tools, people, controls and processes

• Focus on automated builds, orchestration & deployment

capabilities.

• Manage overall orchestration governing different actions and

phases that make up the deployment pipeline (e.g. code check-

in to go-live on cloud)

• Consistent way to protect information

Establish Cloud platform and enable developers to build and rapidly deploy

Journey to Decouple the Mainframe and ESB

& Control Teams

Empower teams to accelerate decision making and delivery

Empowering Teams

DEDICATED

TEAMS

Organize in 2-pizza teams

Map capabilities to service owners with

dedicated teams

OWNERSHIP

Autonomous teams that can build, test and

deploy independently

Decision making authority for service at team

level

TRANSPARENCY

Inspection and transparency of the team

performance, service capability and roadmap

Services are tracked, mapped and managed

via the Service Catalog

Technical Program Manager

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=0ahUKEwiiuKzfw43OAhXDNx4KHYl2AyAQjRwIBw&url=http://www.scrumhint.com/top-10-mistakes-made-new-agile-teams/&psig=AFQjCNFV2nLJBw_Z1moHuf9EkM6_qlCCZg&ust=1469498794814367

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=0ahUKEwiiuKzfw43OAhXDNx4KHYl2AyAQjRwIBw&url=http://www.scrumhint.com/top-10-mistakes-made-new-agile-teams/&psig=AFQjCNFV2nLJBw_Z1moHuf9EkM6_qlCCZg&ust=1469498794814367

Accelerating Innovation and Product Delivery

4 DELIVER ON STRATS

BUILD GLOBAL

CLOUD FOUNDATION1BUILD

MICROSERVICES2EMPOWER

TEAMS3

Create operating framework

Establish design patterns for

microservices

Build, re-use and extend services

Test driven development

Deploy cloud infrastructure

Establish scale and availability

Enable continuous

integration/continuous delivery

Protect Citi information

Build full stack, autonomous agile,

scrum teams

Single ownership structure

Empowered development with

decentralized functions

Continuous integration / deployment

SPEED, COST & QUALITYIMPROVING

The DevOps Pipeline

Continuous Delivery Pipeline

• A secure automated transport mechanism

• Moves a resources from point A to point B


• Transports code from development to production

• Tests ensure integrity and validity of the resource

• Resources morph from source, to executable, to

operational


• Failures stop the line, and prevent breakages to

production

• Fast feedback provided to the developer

• Customized to your software development lifecycle

AWS CodePipeline

• Quickly model and

configure release stages

• View progress

at-a-glance

• Use your favorite tools

• Integrates with other

AWS services

The Build Artifact Repository

The Build Artifact Repository

Storage of Build Artifacts for later deployment in the pipeline

Why Build Artifact Repository

• Build once, deploy many times

• Version control

• Artifacts available for later deploy events (Scale Up)

• Build Server and Deployed Services don’t need to talk to

each other

Pipeline Build Artifacts

Objects assembled during a build process from code used

for testing and convergence down stream in a pipeline

Chef

Cookbook

Code

.tar

Build

Artifact

# berks vendor

Build

# chef-client

Deploy

Amazon EC2

Instance

Running

System

Examples of Build Artifacts

ruby

python

chef

puppet

Amazon Linux

chocolatey

Simple Artifact Repository with AWS

Build System

Amazon EC2 at launch

Converging Systems

Artifact RepositoryAmazon S3 Bucket

1 detect commit

2buildmvn package

3 publishs3 put-object

4 launchec2 run-instances \

–-user-data

retrieves3 get-object

5

Pipeline Build Artifacts Like a Bank

Data Protection Entitlement Integrity

AWS KMS AWS IAM sha256sum

• Generate Data Keys for client side encryption

• Use Server Side Encryption integration with Amazon S3

• Use IAM Roles to grant access to resources

• Implement strict resource policies for S3

Buckets and KMS Keys

• Validate integrity with sha-sum

• Implement sha integrity database

Envelope Encryption with AWS KMS

$> aws kms generate-data-key \

--key-id alias/artifact-demo \

--key-spec AES_256 --output text \

--query [Plaintext,CiphertextBlob]

$> openssl enc -aes-256-cbc -salt \

–in source.tar \

–out encrypted.out \

-k ${Plaintext}

$> tar –czvf artifact.tgz \

encrypted.out \

CiphertextBlob.out

Source

encrypt

KMS

Artifact Repository on AWS with encryption

Build System


detect commit

2buildmvn package

5 launchec2 run-instances \

–-user-data

3 encryptkms generate-data-key

enc –k Plaintext

Client Side Envelope Encryption

Server Side Encryption

4 publishs3 put-object \

–-sse aws:kms

1

Entitle Access with Resource Policies


Artifact Encryption KeyAWS KMS Customer Master Key

S3 Bucket Policy KMS Key Policy




Converging Systems




1 decryptkms decrypt

2



Converging Systems

IAM Role

Instance Profile




Converging Systems




1 decryptkms decrypt

2

IAM Role

Instance Profile

Validate Artifact Integrity

$> sha256sum mysource

b2f3fb7e84761eac78eb34aaaae2793efb41f23141a31f2c mysource

$> tar –czvf artifact.tgz \

encrypted.out \

sha256sum.out \

CiphertextBlob.out

CiphtertextBlob

KMS

Encrypted

Source

Validate Artifact Integrity


1


3


Converging Systems

retrieve & unpacks3 get-object

decryptkms decrypt

2

verify${envelope_sum} == $(sha256sum)

4 validate authorizationdynamodb query $(sha256sum)

Authorized ArtifactsAmazon DynamoDB Table


• A secure automated transport mechanism

• Moves a resources from point A to point B

Commit Acceptance Capacity Pre-Prod Production

The Stelligent Pipeline

GOAL:

Fast feedback for developers

PIPELINE ACTIONS:

1. Unit Tests2. Static Code Analysis


The Commit Stage

GOAL:



The Commit Stage

SECURITY TESTS:

1. Security static analysis of application code

PIPELINE ACTIONS:


GOAL:



The Commit Stage

SECURITY TESTS:

1. Security static analysis of application code

2. Security static analysis of infrastructure code

PIPELINE ACTIONS:


Security Static Analysis of CloudFormation

• Security static analysis builds a model of templates in

order to verify compliance with best practices and

organizational standards.

• This can be a powerful tool to stop bad things before

they happen.

• A security organization can define their policy in code

and have all development efforts unambiguously verify

against that standard without manual intervention.

Static Analysis of CloudFormation with cfn-nag

The cfn-nag tool inspects the JSON of a CloudFormation

template before convergence to find patterns that may

indicate:• Overly permissive IAM policies

• Overly permissive security groups

• Disabled access logs

• Disabled server-side encryption

GOAL:

Comprehensive testing of the application and its infrastructure

PIPELINE ACTIONS:

1. Integration Tests2. Acceptance Tests


The Acceptance Stage

GOAL:

Comprehensive testing of the application and its infrastructure

SECURITY TESTS:

1. Infrastructure Analysis

PIPELINE ACTIONS:

1. Integration Tests2. Acceptance Tests


The Acceptance Stage

Testing Infrastructure Changes

Problems to solve:

• Prevent infrastructure changes that violate company

security policies.

• Need the ability to codify security rules and get

notifications when violations occur.

• Ability to execute on-demand compliance testing.

Testing Infrastructure Changes

AWS Config solves these problems, but…

• Pipeline enablement can be challenging.

• Console-centric.

config-rule-status

ConfigRuleStatus is an open source tool that enables continuous monitoring and on-demand testing of security compliance for infrastructure through the AWS Config service.

How does it solve the problem?

• Sets up AWS Config for resource monitoring.

• Creates Config Rules and Lambda functions to evaluate security compliance.

• Creates a Tester Lambda function that returns aggregated compliance status.

config-rule-status

How should it be used?

• The bundled CLI provides commands for deploying the

tool.

• The Tester Lambda function can be invoked with the

bundled CLI or the AWS CLI.

• Invoke it from a CD pipeline to catch policy violations

before they get to production.

Core Technology

config-rule-status

On-Demandcompliance testing for AWS Resources

GOAL:

Test the system under real world conditions

The Capacity Stage


PIPELINE ACTIONS:

1. Performance Tests2. Load Tests

GOAL:

Test the system under real world conditions

The Capacity Stage


PIPELINE ACTIONS:

1. Performance Tests2. Load Tests

SECURITY TESTS:

1. OWASP ZAP Pen Test2. OpenSCAP Image Testing

GOAL:

Go / no-go decision for blue/green deployment

PIPELINE ACTIONS:

1. Build Pre-Prod Stack2. Data Migration3. Blue/green Deployment


The Production Stage

SECURITY ACTIONS:

1. Prevent out-of-band changes2. Security metrics for feedback

loops

PIPELINE ACTIONS:

1. Build Pre-Prod Stack2. Data Migration3. Blue/green Deployment

GOAL:

Go / no-go decision for blue/green deployment


The Production Stage

Resources

stelligent.com/fin303

Thank you!

Remember to complete

your evaluations!